Ledger’s Chief Technology Officer Charles Guillemet has sounded an alarm over what he described as one of the most serious supply chain attacks ever to hit the JavaScript ecosystem.

Ledger CTO Issues Urgent Warning

On Monday, Ledger CTO Guillemet posted on X that the npm account of a reputable open-source maintainer had been compromised, leading to malicious updates across widely used software packages. He wrote, “There’s a large-scale supply chain attack in progress… the entire JavaScript ecosystem may be at risk.” He stressed that hardware wallet users remain secure if they verify every transaction, but advised all others to stop conducting blockchain transactions.

Malicious Updates to Widely Used Packages

The breach occurred on September 8 when hackers gained access to the npm account of Josh Goldberg, known as “Qix.” Attackers published corrupted versions of 18 packages, including chalk, debug, strip-ansi, and color-convert, which collectively account for more than 2.6 billion weekly downloads and are embedded in core developer tools like Babel and …. Researchers discovered that the injected code carried “crypto-clipper” malware designed to intercept browser activity. The payload swaps legitimate wallet addresses with attacker-controlled ones and, in some cases, hijacks wallet communications to modify transactions before signatures are applied. The malware was first detected after a build error revealed hidden obfuscated code.

Attack Strategy

Analysis showed the malware was engineered with dual tactics: passively replacing wallet addresses with lookalikes, while actively intercepting and altering transactions on browser-based wallets such as …. This layered approach allowed attackers to redirect funds seamlessly, often without users noticing. Reports suggest the breach originated from a phishing attack on npm maintainers. The emails, posing as official npm security notices, instructed recipients to update two-factor authentication or risk account suspension. Those who followed the link were directed to a fake login page, allowing attackers to seize credentials and infiltrate Goldberg’s account.

Once inside, the attackers distributed malicious versions of the core packages, effectively weaponizing software tools relied upon by developers worldwide. Security firm Aikido noted that the code functioned as a browser interceptor, capable of rewriting payment destinations, altering API calls, and tampering with website behavior.

Fallout and Industry Concerns

Although npm has removed many of the compromised versions, security experts warn that hidden transitive dependencies make it difficult to fully contain the damage. Developers are being urged to audit projects, pin known-safe package versions, and rebuild lockfiles. The incident underscores the fragility of the open-source ecosystem, which depends heavily on trust between maintainers and users. With wallet addresses linked to stolen funds already surfacing on-chain, researchers are calling the attack one of the most severe in the history of the JavaScript ecosystem.
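The audit step above (find every copy of the named packages, including transitive ones nested under other dependencies, and compare each against pinned known-safe versions) as an added Node.js example that is not from the article, from npm, or from any named vendor; the package-lock.json object and the "safe" version allowlist are constructed placeholders, since the article lists package names but no version numbers.

```javascript
// Constructed sample of an npm lockfileVersion 3 package-lock.json.
// Note the nested copy of "debug" pulled in by "some-cli": a plain
// top-level dependency list would never show it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { chalk: "^5.0.0", "some-cli": "^1.0.0" } },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/some-cli": { version: "1.2.0", dependencies: { debug: "^4.0.0" } },
    "node_modules/some-cli/node_modules/debug": { version: "4.3.7" },
    "node_modules/strip-ansi": { version: "6.0.1" },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/"
// (handles scoped names such as "@scope/pkg" too).
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// Which dependency pulled in a nested copy; "(root)" for top-level entries.
function parentOf(p) {
  const parts = p.split("/node_modules/");
  return parts.length > 1 ? nameFromPath(parts.slice(0, -1).join("/node_modules/")) : "(root)";
}

// Every installed copy of the watched packages, wherever it sits in the tree.
function findPackages(lock, names) {
  const wanted = new Set(names);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = nameFromPath(path);
    if (wanted.has(name)) hits.push({ name, version: entry.version, path, via: parentOf(path) });
  }
  return hits;
}

// Copies whose resolved version is not on the pinned allowlist get flagged;
// a package with no allowlist entry is flagged as well (unknown is not safe).
function checkPins(hits, allowlist) {
  return hits.filter((h) => !(allowlist[h.name] || []).includes(h.version));
}

// Placeholder allowlist: replace with the versions you have verified yourself.
const SAFE = { chalk: ["5.3.0"], debug: ["4.3.6"], "strip-ansi": ["6.0.1"] };
const found = findPackages(SAMPLE_LOCK, ["chalk", "debug", "strip-ansi", "color-convert"]);
console.log("installed copies:", found);
console.log("not on allowlist:", checkPins(found, SAFE));
```

Point the same functions at `JSON.parse(fs.readFileSync("package-lock.json"))` to audit a real project; the `via` field tells you which direct dependency to pin or replace.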
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Latest news and analysis from Crypto Daily